






HARDWARE VULNERABILITIES AND BIOS/UEFI SECURITY 



HARDWARE VULNERABILITIES

MELTDOWN AND SPECTRE
JANUARY 2018 (variants 3a and 4 were disclosed in May 2018)

• Variant 1: Bounds Check Bypass (Spectre) - CVE-2017-5753
• Variant 2: Branch Target Injection (Spectre) - CVE-2017-5715
• Variant 3: Rogue Data Cache Load (Meltdown) - CVE-2017-5754
• Variant 3a: Rogue System Register Read - CVE-2018-3640
• Variant 4: Speculative Store Bypass - CVE-2018-3639
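Variant 1 is the one that turns up in ordinary application and kernel code, so it is worth seeing what the gadget looks like. The example below is added here as an illustration; it is not code from the report or from the research it summarises. It shows the vulnerable bounds-checked read and two mitigations: index masking in the style of the Linux kernel's array_index_nospec(), and an LFENCE after the check. The names (array1, array2, clamp_index_nospec, victim_*) are assumptions for the example, and the cache-timing probe that turns the footprint in array2 into recovered bytes is deliberately left out.

```c
/* Spectre Variant 1 (bounds check bypass) gadget and its mitigations.
 * Added illustration; not code from the report or the cited research. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_LEN 16
static uint8_t array1[ARRAY1_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 512];   /* probe array: one cache line per byte value */
static volatile uint8_t sink;       /* keeps the loads from being optimised away */

/* VULNERABLE: architecturally the check holds, but once the branch predictor
 * has been trained on in-range x, the CPU speculatively runs the body for an
 * out-of-range x. array1[x] then reads a byte from anywhere in the address
 * space and array2[byte * 512] pulls a line into the cache whose index reveals
 * that byte to a timing probe (Flush+Reload), even though the result is
 * discarded when the misprediction is resolved. */
void victim_vulnerable(size_t x)
{
    if (x < ARRAY1_LEN)
        sink = array2[array1[x] * 512];
}

/* Branchless mask in the style of the Linux kernel's array_index_mask_nospec():
 * all ones when index < size, zero otherwise. It is computed arithmetically,
 * with no branch to mispredict, so it is correct under speculation as well.
 * Assumes index and size are below 2^63 (top bit clear). */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    size_t out_of_range = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;   /* in range: 0 - 1 = all ones; out of range: 1 - 1 = 0 */
}

/* Index actually used for the load: unchanged when in range, 0 otherwise. */
size_t clamp_index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* HARDENED: even on a mispredicted branch the speculative load uses index 0,
 * so no out-of-bounds byte ever selects a line in array2. */
void victim_hardened(size_t x)
{
    if (x < ARRAY1_LEN) {
        x = clamp_index_nospec(x, ARRAY1_LEN);
        sink = array2[array1[x] * 512];
    }
}

/* Alternative mitigation: serialise execution after the check (x86 LFENCE),
 * at the cost of stalling every call; a no-op here on other architectures. */
void victim_fenced(size_t x)
{
    if (x < ARRAY1_LEN) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ volatile("lfence" ::: "memory");
#endif
        sink = array2[array1[x] * 512];
    }
}

int main(void)
{
    size_t probes[] = { 0, 15, 16, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %4zu -> load index %zu\n",
               probes[i], clamp_index_nospec(probes[i], ARRAY1_LEN));
    victim_hardened(1000);   /* safe: the index would be clamped to 0 */
    return 0;
}
```

The masking form is preferred in hot paths because it costs a couple of ALU instructions instead of a pipeline drain; the fence form is simpler to audit. Either way the fix has to sit between the bounds check and the first dependent load, which is why these gadgets are found by reviewing every untrusted index that feeds a second memory access.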


MELTDOWNPRIME AND SPECTREPRIME
FEBRUARY 2018

SpectrePrime, the proof-of-concept variant proposed by the researchers, succeeds in 99.95% of attempts on an Intel processor (the success rate of the usual Spectre attack on the same hardware reaches 97.9%).


GLITCH
MAY 2018

The researchers successfully tested the GLitch technique on an Android device running the Chrome and Firefox browsers and compromised the device in just 2 minutes. No malware had to be installed on the device: all that was required was to get the target to load the malicious JavaScript code.


TLBLEED
JULY 2018

It was demonstrated that cryptographic keys and other important data can be extracted from another program running on the sibling hyperthread of the same core, with a minimum success rate of 98%. Although no CVE was assigned to the vulnerability, the OpenBSD developers decided to stop supporting Hyper-Threading on Intel processors.


99.95% - success rate when using SpectrePrime

2 MINUTES - needed to compromise an Android-based device using the GLitch technique

98% - success rate of the attack and cryptographic key extraction using TLBleed





BIOS/UEFI THREATS

[Timeline figure: evolution of BIOS/UEFI threats and research, reproduced from Alex Matrosov's Black Hat Asia 2017 talk]

LEGACY BIOS ERA - LOW THREAT ACTIVITY, LOW RESEARCH ACTIVITY
Mebromi/BIOSkit, ACPI rootkit, IceLord rootkit, WinCIH, Computrace, DEITYBOUNCE, BadBIOS hysteria, BIOS patching, Rakshasa, PCI OptROM rootkit, SMM rootkit, DreamBoot
Move to the UEFI world with Secure Boot

2014 - MS Win10: Virtualization Based Security era

2014-2018 - TARGETED ATTACKS, HIGH RESEARCH ACTIVITY
DerStarke, HT rkloader, BANANABALLOT, DarthVenamis, LightEater, SMM backdoor, Memory Sinkhole, ThinkPwn, PEI backdoor, Thunderstrike, Thunderstrike 2, SMM->VMM
LOJAX: first UEFI backdoor detected in the wild (2018)
1st Secure Boot bypass
6 new CVEs in BIOS presented at Black Hat by Alex Matrosov
Intel Boot Guard bypass by Alex Ermolov

Source: https://www.blackhat.com/docs/asia-17/materials/asia-17-Matrosov-The-UEFI-Firmware-Rootkits-Myths-And-Reality.pdf











































APT. ESPIONAGE IS THE MAIN TASK

HOME DEVICES ARE A NEW TARGET

• A penetration vector that goes undetected
• An even stealthier method of data collection
• More opportunities to attack other devices on the local network
• Good persistence

30% OF APT GROUPS USE LEGITIMATE, PUBLICLY AVAILABLE ATTACK FRAMEWORKS

METASPLOIT
♦ Turla
♦ Lazarus
♦ OilRig
♦ Charming Kitten
♦ Newscaster Team
♦ APT32
♦ MuddyWater

COBALT STRIKE
• APT17
• APT10
• TEMP.Periscope











[Map figure: APT groups observed attacking targets in each region, with the country of origin given in the source. Region labels on the map: EUROPE, APAC, MIDDLE EAST & AFRICA, RUSSIA.]

• APT28 (Russia), Turla (Russia), Lazarus (North Korea), APT15 (China), Thrip (China), Charming Kitten (Iran), Mustang Panda (China), Dragonfly (Russia), Orangeworm, Gorgon Group (Pakistan), TEMP.Periscope (China), Newscaster Team (Iran)

APT, ESPIONAGE IS THE MAIN TASK

• Lazarus (North Korea), APT28 (Russia), APT15 (China), Tick (China), BlackEnergy (Russia), Dragonfly (Russia), TEMP.Periscope (China), Orangeworm, Gorgon Group (Pakistan), PowerPool
• DarkHotel (North Korea), Lazarus (North Korea), Thrip (China), APT32 (Vietnam), Mustang Panda (China), APT37 (North Korea), Slingshot (USA), Kimsuky (North Korea), Andariel (North Korea), Tick (China)
• BlackEnergy (Russia), APT28 (Russia), Charming Kitten (Iran), Orangeworm, MuddyWater (Iran), Sidewinder (India), Chafer (Iran), APT-C-35, Rancor, TEMP.Periscope (China), APT17 (China)
• OilRig (Iran), APT37 (North Korea), Slingshot (USA), Newscaster Team (Iran), APT34 (Iran), APT33 (Iran)
• Equation (USA), APT10 (China), APT17 (China), PlugX (China), Prikormka (Ukraine), APT28 (Russia), BlackEnergy (Russia), PowerPool

OPEN SOURCES ONLY PUBLISH INFORMATION ON ATTACKS ORIGINATING IN DEVELOPING COUNTRIES










APT. ESPIONAGE IS THE MAIN TASK

LATE 2017 TO EARLY 2018

FINANCE
BlackEnergy attacks Japanese banks with ONI ransomware.

POWER ENGINEERING
BlackEnergy: espionage in SCADA systems without impact.
Triton: a framework for manipulating Schneider Electric Safety Instrumented Systems, involved in a real incident.

FEBRUARY 2018

OLYMPICS 2018
APT28: Olympic Destroyer was used to disable the official website of the Olympics and the Wi-Fi at the stadium; it also affected the live broadcast of the opening ceremony.

JANUARY TO MAY 2018

FINANCE
Lazarus puts 9,000 computers and more than 500 servers out of action after the Banco de Chile and Bancomext robberies.

COVERT TARGETS
BadRabbit: mass attacks used to conceal the real targets under attack.
VPNFilter: about 500,000 routers in 54 countries were infected. One module looked for SCADA systems.

COVER-UP TRANSACTIONS
• Real sabotage attacks are hidden behind smokescreens.
• The infrastructure for the smokescreens is prepared in advance.


PREDICTIONS: HARDWARE VULNERABILITIES AND APT THREATS

FIRMWARE AND SIDE-CHANNEL ATTACKS
• They will become the main research vector of APT attackers.
• Current security solutions are not ready for such challenges.

NEXT TARGETS OF FIRMWARE THREATS:
• Motherboard manufacturers
• Vendors that supply hardware to state authorities
• Small/new cloud services

FLATS/HOUSES AND PERSONAL DEVICES
• A new priority when protecting secrets and business.
• In the private and public sectors these networks lack due attention.

CRITICAL INFRASTRUCTURE
• Initial penetration through vulnerable network hardware, not phishing.
• Self-replicating ransomware will be used to attack air-gapped networks.



ATTACKS TARGETED AT BANKS
INTERNET BANKING, ARM CBR, SWIFT, PAYMENT GATEWAYS, CARD PROCESSING, ATM

Group and the systems it targets:
• Corkow: ARM CBR (SWIFT analog)
• Buhtrap: ARM CBR (SWIFT analog)
• Cobalt: ATM, card processing, SWIFT, payment gateways
• MoneyTaker: ARM CBR (SWIFT analog)
• Silence: ATM, card processing, ARM CBR
• Lazarus: SWIFT, card processing
• BlackEnergy: sabotage

TRADITIONALLY, THE THREAT TO THE FINANCIAL SECTOR COMES FROM RUSSIAN-SPEAKING ATTACKERS.




















ATTACKS TARGETED AT BANKS: INTERBANK SYSTEMS

[Timeline of attacks on interbank systems, 2015-2018]

JAN 2015 - Ecuador, Banco del Austro: $12 million theft
OCT 2015 - Vietnam, Tien Phong Bank (TP Bank): Lazarus, $1.36 million attempt
FEB 2016 - Bangladesh, Central Bank: Lazarus, $951 million attempt, $81 million theft
APR 2016 - Ukraine, Credit Dnepr bank: Cobalt, $10 million attempt, $950,830 theft
DEC 2016 - Turkey, Akbank: Lazarus, $4 million theft
FEB 2017 - Poland, banks: Lazarus
APR 2017 - Middle East, Latin America: The Shadow Brokers published information about the Equation Group's SWIFT attacks
OCT 2017 - Hong Kong, bank (name unknown): Cobalt
OCT 2017 - Taiwan, Far Eastern International Bank: Lazarus, $60 million attempt, most of it recovered
OCT 2017 - Nepal, NIC Asia Bank: presumably Lazarus, $4.4 million attempt, $580,000 theft
DEC 2017 - Russia, bank: Cobalt, $1 million theft, 339.5 million RUB attempt
JAN 2018 - Mexico, Bancomext: presumably Lazarus, $110 million theft
FEB 2018 - Bulgaria, Bulgarian bank: Cobalt, unsuccessful attempt
FEB 2018 - India, Punjab National Bank: $1.7 million theft
FEB 2018 - India, City Union Bank: $1.87 million theft
APR 2018 - Mexican banks: the Mexican central bank reported about $18 million in SWIFT thefts
MAY 2018 - Chile, Banco de Chile: presumably Lazarus, $10 million theft

SWIFT
2 groups are the threat to SWIFT: Lazarus and Cobalt.
3 times more incidents.
$26 mln is the average volume of a theft attempt.

LOCAL INTERBANK SYSTEMS
They are also targets, but there is no data on the attacks.
ARM CBR was attacked only once, by MoneyTaker.














ATTACKS TARGETED AT BANKS: ATMS, CARD PROCESSING, PAYMENT GATEWAYS

ATTACKS ON ATMS
They are drawing attackers' attention again. Two groups, MoneyTaker and Silence, have created new Trojans for this purpose.

CARD PROCESSING
This is still the main way for all groups to monetize access to a bank's network. Lazarus has started using this theft method.

PAYMENT GATEWAYS
This theft method is used only by the Cobalt group. There were no new attempts after the 2017 attacks.

RUSSIA IS NOT A PRIORITY ANYMORE
All Russian-speaking groups started with attacks in Russia. Attacks in Russia are no longer the priority, and all groups now attack foreign banks.












PREDICTIONS: ATTACKS TARGETED AT BANKS

ATTACKS OUTSIDE RUSSIA
First and foremost, we should expect a lot of attacks from Silence.
Local cybercrime groups will start conducting similar attacks. Above all, we expect growth in the APAC region.

COMBINED THEFT METHODS
Lazarus should be expected to steal via SWIFT and card processing at the same time.
Cybercrime groups will steal via ATMs and card processing.
Using ransomware after an attack is completed can become a trend.

INITIAL PENETRATION VECTOR IS CHANGING
Phishing is still the main vector.
Some groups will start trying to penetrate banks through web vulnerabilities and vulnerable network hardware.

NEW GROUPS
After the arrests of Cobalt and FIN7 participants, we can expect new criminal groups to appear.
Toplel and RTM are the most likely ones to form new groups.




PC TROJANS

STAGNANT DEVELOPMENT WORLDWIDE

BANK PC TROJANS LANDSCAPE
Activity and efficiency of banking Trojans are falling all over the world.
The arrests of the Neverquest, GozNym and Andromeda loader authors hit hard. Owners of large botnets now use them to install ransomware.

LOCAL NATURE
Each threat has become local and affects 3 to 5 countries on average.

RUSSIA: RTM, Buhtrap2, Toplel

AUTOMATIC TRANSFER SYSTEMS (ATS)
New: BackSwap is the only Trojan with new techniques: it delivers its web-inject script through the browser's developer console and a bookmarklet instead of injecting into the browser process.

WORLD: IcedID, BackSwap, DanaBot, MnuBot, Osiris, Xbot, Shifu, Qadars, Sphinx, Tinba, Emotet, Dridex, Trickbot, Gozi (ISFB, Ursnif), Qakbot (Qbot), TinyNuke (NukeBot), Gootkit, Ramnit, ZeusVM (KINS), Atmos, Zeus, Retefe, Corebot, UrlZone Banker, Panda Banker





ANDROID TROJANS

SECURITY BY GOOGLE
The main reason Android threats are being held back.
Old Trojan versions do not work on new Android versions.

SLOWDOWN ABROAD
5 Trojans (Xbot, Abrvall, Vasya, UfoBot, Reich) are no longer used due to poor support.
The most active developer, GanjaMan, who created the most popular Trojan versions, was blocked, and his developments are no longer used.

TROJANS WITH WEB FAKES GLOBALLY
Easy, Exobot 2.0, CryEye, Cannabis, Fmif, AndyBot, Loki v2, Nero Banker, Sagawa, Agent.cj, Maza-in, Alien bot, Rello, Red Alert v2

STAGNANT DEVELOPMENT IN RUSSIA
The owners of the two largest botnets, Cron and Tiny.z, were arrested; the Honli botnet was disabled.
The number of thefts became three times smaller, and damage decreased by 77%.
The average amount of damage was reduced from 11 to 7 thousand.
ATM THREATS

ATM JACKPOTTING
A "new" ATM threat.
Attackers get physical access to an ATM.
They plug a microcomputer or a smartphone into the USB/COM port of the dispenser.

CUTLET MAKER
The main reason for the increase in theft using this method.
The software is sold as a package with detailed instructions and an Android app.
Cracked versions surfaced and led to wider distribution.

MR. MARKAS
The main software developer for ATM jackpotting.

[Forum screenshot: post "Unloading ATMs" by Mr.Markas (registered 28.05.2010, 15 messages, deposit $0, business level 48), posted 08.2017]

Hello everyone,

My companion needs reliable people with teams to unload ATMs in all countries.
Special hardware is connected to the ATM.
In several minutes the ATM spits out all cash.

Installation takes a couple of minutes.

No alarm system will trigger during this time.

You take the cash in 2 to 10 minutes if the connection is good.

You can walk away from the ATM as many times as you need; you don't have to just stand there.

More details in PM.

Include your Jabber and subject.

Note:

If you have already done something for me or dealt with me, including skimmers and decoding in 2009-2015, write about this in PM to get priority treatment.







CARDING

Card data offered on cardshops:

                 Text data       Dumps           Total
Total number     10,218,489      16,927,777      27,146,266
Market volume    $95,590,424     $567,791,443    $663,381,867
Lowest price     $0.75           $0.50
Highest price    $99.99          $295
Average price    $9.35           $33.54
Median price     $8              $25

1.8 MLN CARDS WERE UPLOADED TO CARDSHOPS

• 62% of the records sold are card dumps (16.9 of 27.1 million).
• POS Trojans are the main method of obtaining dumps.
• Text data accounts for just 17% of the card-related market.
POS THREATS

[Timeline figure, 2017-2018]

2017
• Detection of the new POS malware LockPoS
• LockPoS campaign against Brazilian companies
• 10.09.2017: Sale of Sisyphus POS. Threat actor: Refreshers. Forum: exploit.in
• 01.10.2017: Lazarus attacks in South Korea using RatankbaPOS
• 05.10.2017: Sale of the new banking trojan "Dented Banking Bot" with POS-grabber features. Threat actor: Refreshers. Forum: exploit.in
• 10.11.2017: Detection of the new POS malware "GratefulPOS"
• 15.11.2017: Attacks on pubs and restaurants using Alina POS
• 01.12.2017: Detection of the new malware "PinkKite"
• 01.12.2017: Sale of the source code of NCR Radiant (RPOS) software. Threat actor: discorb. Forum: exploit.in

2018
• Detection of the new malware "UDPoS"
• 02.2018: Sale of POS sniffer source code. Threat actor: ftp.admin. Forum: exploit.in
• 13.04.2018: PoS malware "Treasure Hunter" source code leaked. Threat actor: crossair. Forum: exploit.in
• 08.05.2018: Leak of POS malware source code. Threat actor: Unsigned. Forum: exploit.in
• 08.06.2018: Sale of source code for MagicPOS malware. Threat actor: cocofresh. Forum: exploit.in
• 04.07.2018: Searching for RDP access to POS systems. Threat actor: beau. Forum: exploit.in











PREDICTIONS

ROUTERS ARE A POINT OF GROWTH
♦ Wi-Fi in restaurants will become the main method of POS terminal penetration and infection.
♦ Redirection to phishing by manipulating traffic at the router level.

ATM JACKPOTTING
♦ In various countries Cutlet Maker is the main tool for attacking ATMs with physical access.
♦ We should expect growth in the number of logical attacks following bank hacks. All groups now have relevant Trojans in their arsenal.

BANKING TROJANS
• Android Trojans will start to attack organizations through contextual advertising.
• Android Trojans will continue to replace PC Trojans.
• The PC Trojans BackSwap and IcedID can become a significant threat to banks in the USA and Europe.

DAMAGE FOR BANK CUSTOMERS
• There will be a reduction in all areas except targeted attacks.
• Phishing will be the main source of damage.



THREATS FOR THE CRYPTOCURRENCY MARKET: MANIPULATION OF THE CRYPTOCURRENCY EXCHANGE RATE

ATTACKERS' TACTICS

• A phishing website disguised as the Chinese exchange Binance
• Collection of traders' logins and passwords
• Generation of API keys to automate operations on the exchange
• Within 2 minutes, generation of trader orders for the little-known cryptocurrency Viacoin
• Within 30 minutes, the Viacoin rate jumped by 143%
• Selling Viacoin for Bitcoin at the inflated rate

[Chart: Viacoin price (USD), 2 to 8 March; y-axis tick shown: $7.20]














THREATS FOR THE CRYPTOCURRENCY MARKET: 51% ATTACK

Double-spending is considered to be the biggest threat to the system.

An attacker controlling 51% of the hashing power can build a private alternative chain faster than the honest network and publish it once it is longer: the longer chain wins, the previously confirmed blocks are discarded, and the attacker's own conflicting transactions are the ones that stand.
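To see why majority hashrate makes a double-spend certain rather than merely likely, the following example (added here; not code from the report) implements the attacker-success probability from the Bitcoin whitepaper, in which a merchant waits z confirmations while an attacker with hashrate share q mines a private fork, and runs a small block-by-block Monte Carlo of the same race. It goes beyond the slide's 51% case by covering any share q. The function names and the xorshift PRNG are assumptions for the example; libm is avoided so the block builds with a bare cc.

```c
/* Attacker-success probability and a block-by-block race simulation for the
 * double-spend / 51% scenario. Added illustration, not code from the report.
 * Only the C standard headers below are used (no libm), so it builds with a bare cc. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* exp(x) for x <= 0: Taylor series on |x| (all terms positive, no cancellation),
 * then the reciprocal. Accurate to about 1e-15 for the magnitudes used here. */
static double exp_nonpos(double x)
{
    double a = -x, term = 1.0, sum = 1.0;
    for (int k = 1; k < 200 && term > 1e-18 * sum; k++) {
        term *= a / k;
        sum += term;
    }
    return 1.0 / sum;
}

static double powi(double base, int n)      /* base^n for n >= 0 */
{
    double r = 1.0;
    while (n-- > 0)
        r *= base;
    return r;
}

int approx_equal(double a, double b, double tol)
{
    double d = a - b;
    return (d < 0 ? -d : d) <= tol;
}

/* Nakamoto's formula (Bitcoin whitepaper, section 11): an attacker with share q of
 * the hashrate mines a private fork while the merchant waits z confirmations.
 *   P = 1 - sum_{k=0}^{z} Poisson(k; lambda) * (1 - (q/p)^(z-k)),  lambda = z*q/p
 * For q >= p (the "51%" case) the attacker catches up with certainty. */
double attacker_success_probability(double q, int z)
{
    double p = 1.0 - q;
    if (q >= p)
        return 1.0;
    double ratio = q / p, lambda = z * ratio;
    double poisson = exp_nonpos(-lambda);    /* Poisson(0) */
    double sum = 0.0;
    for (int k = 0; k <= z; k++) {
        if (k > 0)
            poisson *= lambda / k;           /* Poisson(k) from Poisson(k-1) */
        sum += poisson * (1.0 - powi(ratio, z - k));
    }
    return 1.0 - sum;
}

/* xorshift64: small deterministic PRNG so the simulation needs no libraries. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static double rng_uniform(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (double)(rng_state >> 11) * (1.0 / 9007199254740992.0);   /* [0, 1) */
}

/* One double-spend race. The attacker's payment is in honest block 1; the
 * attacker secretly mines a fork from the parent that spends the same coins
 * elsewhere. Each block is found by the attacker with probability q. The
 * merchant releases the goods after z honest blocks; the attacker wins if the
 * private fork ever becomes the longer chain (publishing it then reorganises
 * the honest blocks away), and gives up once give_up blocks behind. */
static int race_once(double q, int z, int give_up)
{
    int honest = 0, attacker = 0;
    while (honest < z) {                     /* merchant waiting for confirmations */
        if (rng_uniform() < q) attacker++; else honest++;
    }
    for (;;) {
        if (attacker > honest) return 1;     /* longer private chain: payment reversed */
        if (honest - attacker > give_up) return 0;
        if (rng_uniform() < q) attacker++; else honest++;
    }
}

double simulate_success_rate(double q, int z, int trials, uint64_t seed)
{
    rng_state = seed ? seed : 1;            /* xorshift must not start at zero */
    int wins = 0;
    for (int i = 0; i < trials; i++)
        wins += race_once(q, z, 100);
    return (double)wins / trials;
}

int main(void)
{
    double shares[] = { 0.10, 0.30, 0.45, 0.51 };
    for (size_t i = 0; i < sizeof shares / sizeof shares[0]; i++) {
        printf("q = %.2f:", shares[i]);
        for (int z = 0; z <= 6; z++)
            printf("  z=%d %.6f", z, attacker_success_probability(shares[i], z));
        printf("  | simulated (z=6): %.3f\n", simulate_success_rate(shares[i], 6, 5000, 42));
    }
    return 0;
}
```

For q below 0.5 the probability decays exponentially in z (six confirmations leave a 10% miner about 0.02%), which is why exchanges set confirmation counts per coin; for q at or above 0.5 the formula returns 1 and the simulation shows the private fork overtaking the honest chain every time, however many confirmations the merchant waited. The low-hashrate coins in the list below are exactly the case where renting that much hashpower is cheap.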



[Tweet by Chandler Guo (@ChandlerGuo), 15:33, 24 July 2016: "I am Chandler Guo, a 51% attack on Ethereum Classic (ETC) is coming with my 98G hashrate powtopos.com" (link card: powtopos / pow to pos / powtopos.com)]

51% attacks in 2018:

APRIL 4 - VERGE: an attacker could mine $1 million worth of cryptocurrency.
MAY 18 - BITCOIN GOLD: an attacker could mine $18 million worth of cryptocurrency.
MAY 22 - VERGE: SuperNova reported that Verge was under a 51% attack and all correct blocks were being rejected.
JUNE 3 - ZENCASH: an attacker could mine $550,000 worth of cryptocurrency.
JUNE 6 - LITECOIN CASH: the Litecoin (LTC) fork also faced a 51% attack.




THREATS FOR THE CRYPTOCURRENCY MARKET: TARGETED HACKING OF CRYPTO EXCHANGES

NUMBER OF THEFTS BECAME 5 TIMES LARGER COMPARED TO THE PREVIOUS YEAR

THIRD-PARTY ATTRIBUTION FROM OPEN SOURCES

2016: $168 MLN
2017 to September 2018: $877 MLN (61% of the total was stolen from Coincheck)

Date      | Project    | Country     | Criminal group | Stolen in cryptocurrency   | Stolen in USD
Feb 2017  | Bithumb    | South Korea | Unknown        | -                          | $7 mln
Apr 2017  | YouBit     | South Korea | Unknown        | -                          | $5.6 mln
Apr 2017  | Yapizon    | South Korea | Lazarus        | 3,816 BTC                  | $5.3 mln
Aug 2017  | EtherDelta | -           | Unknown        | -                          | $277 k
Aug 2017  | OKEx       | Hong Kong   | Unknown        | -                          | $3 mln
Sep 2017  | Coinis     | South Korea | Lazarus        | -                          | -
Dec 2017  | YouBit     | South Korea | Lazarus        | 17% of assets              | -
Jan 2018  | Coincheck  | Japan       | Lazarus        | 523 mln NEM                | $534 mln
Feb 2018  | Bitgrail   | Italy       | Unknown        | 17 mln NANO                | $170 mln
Jun 2018  | Bithumb    | South Korea | Lazarus        | 11 types of cryptocurrency | $32 mln
Jun 2018  | Coinrail   | South Korea | Unknown        | -                          | $37 mln
Jun 2018  | Bancor     | -           | Unknown        | -                          | $23 mln
Sept 2018 | Zaif       | Japan       | Unknown        | -                          | $60 mln

TOTAL: $877 MLN

NORTH KOREA IS THE MAIN THREAT
5 out of 10 thefts are believed to be connected to Lazarus.
Most exchanges that have become victims are from South Korea.
YouBit/Yapizon went bankrupt.









PREDICTIONS

REDUCTION OF MINING
♦ The cryptojacking boom is over.
• Trojans are no longer efficient for mining.

NEW ATTACKERS
• Silence, MoneyTaker and Cobalt may conduct several successful targeted attacks on exchanges and the largest miners.

THE LARGEST MINERS
• They will become the main target of pro-government attackers seeking to control 51% of the hashing power and take over control of the cryptocurrency.

It is still a target for hackers. However, the number of attacks will decline.





